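// Detection rule for the family named in the description field below. It was
// mechanically derived from a Microsoft Defender PEHSTR_EXT signature.
//
// Conversion note: the source listing kept Defender's in-pattern escape
// sequences as literal bytes. YARA would then require the bytes 90 01 01 etc.
// to be present in the sample, so the strings could practically never match.
// They are rewritten here with native YARA wildcards and jumps:
//   90 01 NN  -> exactly NN arbitrary bytes  (?? for NN = 1, otherwise [NN])
//   90 02 NN  -> up to NN arbitrary bytes    ([0-NN], NN read as hex)
//   90 00     -> end-of-pattern marker       (dropped)
// NOTE(review): this mapping follows public write-ups of the Defender
// signature format. Validate against a known sample and a clean corpus
// before using the rule for anything beyond hunting.
rule TrojanClicker_BAT_Rullanu_A
{
    meta:
        description = "TrojanClicker:BAT/Rullanu.A,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 02 00 00 01 00 "

    strings:
        // The recurring "28 ?? 00 00 ??" and "7e ?? 00 00 04" shapes look like
        // .NET IL call/ldsfld opcodes followed by 4-byte metadata tokens
        // (presumed from the byte layout; the token index bytes are wildcarded).
        $a_03_0 = { 72 05 00 00 70 28 ?? 00 00 ?? 72 13 00 00 70 28 ?? 00 00 ?? 28 ?? 00 00 ?? 0a [0-5] 06 72 4b 00 00 70 [0-5] 16 fe 01 0b 07 2d ?? 00 [0-5] 17 28 ?? 00 00 ?? 00 00 2a } //01 00
        $a_03_1 = { 7e 02 00 00 04 7e ?? 00 00 0a 17 [5] 16 fe 01 0c 08 2d ?? 00 28 ?? 00 00 06 00 [0-10] 1f 1c 28 ?? 00 00 ?? 72 01 00 00 70 7e ?? 00 00 04 28 ?? 00 00 ?? 0a 28 ?? 00 00 06 00 7e ?? 00 00 04 06 28 ?? 00 00 06 00 [0-5] 28 ?? 00 00 ?? 00 [0-5] 16 28 ?? 00 00 ?? 00 73 ?? 00 00 06 0b } //00 00

    condition:
        // NOTE(review): the description header and the trailing "//01 00" and
        // "//00 00" fields appear to carry the original threshold and per-pattern
        // weights. "any of" may be looser than the original scoring; confirm
        // before using a hit as the sole basis for blocking.
        any of ($a_*)
}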